Cleveland Federal Reserve HackedMalaysian Caught with 400K Stolen Cards
Lin Mun Poo, a Malaysian national, faces a four-count indictment that charges him with hacking into computer systems and the possession of more than 400,000 stolen credit and debit card numbers.
"Cybercriminals continue to use their sophistication and skill as hackers to attack our financial and national security sectors," says Loretta Lynch, United States Attorney for the Eastern District of New York. Poo's arrest comes just a month after authorities arrested a big cyber crime gang in the U.S. and Europe for similar crimes.
When he arrived in New York on Oct. 21, he was arrested hours later by Secret Service agents. Poo, who is being held in pre-trial detention, "made a career of compromising computer servers belonging to financial institutions, defense contractors and major corporations, among others, and selling or trading the information," says Lynch.
'Massive Quantity' of Stolen DataBefore his arrest, Poo had planned to get additional stolen financial account information from other hackers. authorities say. When Secret Service agents seized his heavily encrypted laptop, they found it contained "a massive quantity" of financial account data and personal identifying information that Poo had allegedly obtained by hacking into computer systems.
The list of victims includes FedComp, a data processor for federal credit unions. With access to FedComp's computers, Poo had unauthorized access to the data of federal credit unions, including the Firemen's Association of the State of New York and the Mercer County New Jersey Teachers. Poo also is charged with breaking into computer servers of a number of major financial institutions and companies, including a computer network of the Federal Reserve Bank of Cleveland, Ohio, by exploiting a security vulnerability. The bank states Poo only broke into a test computer system and didn't access any sensitive information.
Security expert Avivah Litan, an analyst at Gartner, says while it isn't clear how Poo got in to the Federal Reserve's system, this hack "highlights the need for PCI enforcement at banks, including government banks -- not just at merchants and payment processors." She points out banks have always "wiggled out" of formal PCI data security enforcement and audits. "Merchants have been complaining about this lopsided effort for years," Litan says.
Defense Contractor HackedPoo's cybercrime spree, according to authorities, extended to the national security sector. Court filings show that in August 2010 he allegedly hacked into the computer system of a Department of Defense contractor that provides systems management for military transport and other operations, potentially compromising highly sensitive military logistics information.
Poo faces a maximum of 10 years if convicted on all charges.